Google has added a new feature, currently in testing, to the Android mobile operating system. The feature, called DNS-over-TLS, encrypts Domain Name System (DNS) requests using the Transport Layer Security (TLS) protocol, in the same way that HTTP traffic is encrypted with TLS when using HTTPS. Android is currently the most widely used mobile operating system in the world, and adding DNS-over-TLS would help protect the privacy and security of users by preventing their DNS requests from being observed by their Internet Service Provider (ISP), Virtual Private Network (VPN) provider, attackers on the network, and government mass surveillance programs.
The DNS system translates domain names into IP addresses. With DNS requests encrypted, a service provider or attacker can tell that a request was made, but not which name was looked up. It is important to note that even with DNS-over-TLS enabled, service providers and attackers can still see the IP address a user connects to afterwards. While that IP address may reveal which site a user is visiting, an IP address by itself only reveals which server the user is connected to, since shared web hosting services can serve many websites from the same IP address. Encrypting DNS queries and responses therefore adds some additional privacy protection, but not complete anonymity.
It is likely that Google intends to roll the feature out in future versions of the Android operating system. Google previously added encrypted DNS to its Public DNS resolution service in the form of DNS-over-HTTPS. HTTPS encrypts the data exchanged between a user and a site's server, preventing a service provider or attacker from seeing precisely what is being sent and received, but unencrypted DNS still lets service providers and attackers see which site the user is connecting to. Mass adoption of encrypted DNS would add a further layer of privacy and security, and make it a little harder for governments to run global mass surveillance programs. Regular DNS queries and responses are sent unencrypted over Transmission Control Protocol/Internet Protocol (TCP/IP) or over the User Datagram Protocol (UDP), which allows attackers to easily eavesdrop on the DNS requests a user is making and also enables DNS filtering, censorship, and spoofing.
Android's DNS-over-TLS is not the only implementation of DNS-over-TLS, nor the only method of encrypting DNS requests. Stubby, a DNS Privacy stub resolver, also implements DNS-over-TLS. DNS-over-TLS is a Proposed Standard of the Internet Engineering Task Force (IETF). Another method of making encrypted DNS requests is DNSCrypt. However, DNSCrypt was never brought to the IETF as a proposed standard, as its developers never submitted a Request for Comments. Many DNS resolvers offer support for DNSCrypt, and some offer support for both DNSCrypt and DNS-over-TLS. Other encrypted DNS designs include DNSCurve, Confidential DNS, and IPSECA. The IETF's DNS PRIVate Exchange (DPRIVE) Working Group, which seeks to create methods for keeping DNS transactions confidential even under "pervasive monitoring", has adopted an encrypted DNS system called DNSoD, or DNS over Datagram Transport Layer Security (DTLS).
The IETF also has an entire set of specifications for securing DNS, known as Domain Name System Security Extensions, or DNSSEC. However, DNSSEC only provides cryptographic authentication of the origin of DNS data, authenticated denial of existence, and data integrity; it does not encrypt DNS responses. The new DNS-over-TLS feature would give users the ability to disable DNS-over-TLS, and the new additions to the Android operating system also include a way for developers to control the DNS-over-TLS function. When DNS-over-TLS is enabled and DNS requests are sent to a resolver that supports DNS-over-TLS, all DNS requests and responses are encrypted and carried over the TLS protocol.
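As an added illustration of what the feature described above does on the wire (example code, not part of the article and not Android's own implementation), the following minimal DNS-over-TLS client builds an ordinary DNS query, wraps it in a certificate-validated TLS session on port 853 with the 2-byte length framing DNS-over-TLS inherits from DNS-over-TCP, and parses the A records out of the reply. The resolver IP and hostname passed to `resolve_over_tls` are assumptions, and `SAMPLE_RESPONSE` is a constructed reply so the parser can be exercised offline.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # DNS-over-TLS (RFC 7858) uses TCP port 853 instead of plaintext UDP/TCP 53

def build_query(name, qtype=1, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD set; 1 question
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE (1 = A), QCLASS IN

def frame(msg):
    return struct.pack("!H", len(msg)) + msg  # DoT reuses DNS-over-TCP's 2-byte length prefix

def _skip_name(resp, pos):  # advance past a (possibly compressed) domain name
    while resp[pos] != 0:
        if resp[pos] & 0xC0 == 0xC0:  # compression pointer: two bytes, and the name ends there
            return pos + 2
        pos += resp[pos] + 1
    return pos + 1

def parse_answer_ips(resp, txid=0x1234):
    """IPv4 strings from the answer section; [] on transaction-ID mismatch or error RCODE."""
    rid, flags, qdcount, ancount = struct.unpack("!HHHH", resp[:8])
    if rid != txid or flags & 0x000F:
        return []
    pos, ips = 12, []  # the DNS header is a fixed 12 bytes
    for _ in range(qdcount):
        pos = _skip_name(resp, pos) + 4  # skip the echoed QNAME, then QTYPE and QCLASS
    for _ in range(ancount):
        pos = _skip_name(resp, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in resp[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return ips

def resolve_over_tls(name, resolver_ip, resolver_host):
    """One A lookup over DoT; resolver_host is the name the resolver's certificate must match."""
    ctx = ssl.create_default_context()  # validates chain and hostname, so a spoofed resolver fails
    with socket.create_connection((resolver_ip, DOT_PORT), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=resolver_host) as tls:
            tls.sendall(frame(build_query(name)))
            rd = tls.makefile("rb")  # read(n) blocks until n bytes or EOF, avoiding short reads
            (length,) = struct.unpack("!H", rd.read(2))
            return parse_answer_ips(rd.read(length))

# Constructed sample response (not captured traffic): ID 0x1234, example.com A 192.0.2.1, TTL 300
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01")
```

The transaction ID is fixed here so the sample response matches; a production client randomizes it per query, and an eavesdropper on the TLS session sees only the length-prefixed ciphertext, not the query name.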